Decentralized lending platform Polter Finance suffered a devastating exploit on the Fantom blockchain, effectively wiping out most of its assets.
The breach, discovered early Sunday, involved the manipulation of the platform’s token pricing mechanisms, leaving its users in shock.
The attacker began by funneling funds through Tornado Cash, an Ethereum-based coin mixer that conceals the origin of funds. These assets were then bridged (transferred from Ethereum to the Fantom network), where the exploit was executed.
As soon as the breach was identified, Polter Finance took immediate action by pausing its platform to contain the damage and notified key bridge operators.
The pseudonymous founder of Polter Finance, known as “Whichghost,” filed a police report in Singapore following the breach. The hack resulted in losses exceeding 16.1 million SGD (roughly $12 million USD).
The newly deployed smart contract on the platform was exploited, causing unauthorized transactions to drain user assets, says the report. The founder also reported personal losses of $223,219.
While the police report claims total losses of around $12 million, other reports from web3 security firms suggest the actual amount stolen was closer to $7 million.
According to DeFi Llama data, Polter Finance’s TVL was roughly $9.7 million before the attack, indicating substantial losses.
In a statement on X (formerly Twitter), the team wrote, “We identified wallets involved and traced it to Binance. We’re still investigating the nature of the exploit. We’re in the processing of contacting the Authorities.”
The platform was paused shortly after the exploit was identified.
Bridges have been notified.
We identified wallets involved and traced it to Binance.
We’re still investigating the nature of the exploit.
We’re in the processing of contacting the Authorities. — polterfinance💥 (@polterfinance) November 17, 2024
The platform also sent an on-chain message to the attacker, saying the team would be willing to negotiate without pursuing legal action if the stolen funds are returned.
Web3 security experts think the root cause of the exploit was linked to a price manipulation attack using oracles, the external data feeds that platforms use to determine token prices.
Smart contract audit firm QuillAudits shared its findings with Decrypt, which reveal the vulnerability was tied to how Polter Finance calculated the value of the SpookySwap BOO token.
“The price of the SpookySwap BOO token in the lending pool was determined by the spot price from the SpookySwap v3 pool and v2 pair; calculated based on the token balance ratio in the pool,” QuillAudits told Decrypt.
By artificially increasing the price of the BOO token, the hacker could deposit a very small amount (just 1 BOO token) and withdraw a much larger amount of other assets, effectively draining the platform of its funds.
“This case exemplifies a basic Oracle manipulation exploit. The BOO token price is manipulated by the attacker using a flash loan to artificially inflate the BOO token’s price,” Hakan Unal, Senior Blockchain Scientist at Cyvers Ai, told Decrypt.
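To illustrate the pricing weakness QuillAudits and Cyvers describe, the following Python sketch is an added example, not code from Polter Finance or SpookySwap. It models a simplified constant-product pair with constructed reserves and compares the balance-ratio spot price with a time-weighted average read in the same block; the names `Pool`, `twap` and `collateral_price` and the 5% deviation threshold are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Simplified constant-product pair (x*y=k, no fees); constructed values."""
    boo: float
    quote: float
    cumulative: float = 0.0   # running sum of price * seconds
    last_ts: int = 0

    def spot_price(self) -> float:
        # Pattern quoted in the article: price taken from the current balance ratio.
        return self.quote / self.boo

    def advance(self, now: int) -> None:
        # Credit the price in force since the last update for the elapsed time.
        self.cumulative += self.spot_price() * (now - self.last_ts)
        self.last_ts = now

    def buy_boo(self, quote_in: float, now: int) -> None:
        self.advance(now)
        k = self.boo * self.quote
        self.quote += quote_in
        self.boo = k / self.quote

def twap(pool: Pool, start_cumulative: float, start_ts: int, now: int) -> float:
    """Average price over [start_ts, now] taken from the accumulator."""
    pool.advance(now)
    return (pool.cumulative - start_cumulative) / (now - start_ts)

def collateral_price(spot: float, reference: float, max_deviation: float = 0.05) -> float:
    """Price collateral at the reference; refuse if spot has diverged from it."""
    if abs(spot - reference) / reference > max_deviation:
        raise ValueError("spot diverges from reference price; reject the borrow")
    return reference

def same_block_distortion():
    """Return (spot, twap) read in the same block as one oversized trade."""
    pool = Pool(boo=100_000.0, quote=100_000.0)   # constructed: 1 BOO = 1 quote unit
    pool.buy_boo(quote_in=900_000.0, now=1800)    # after 30 quiet minutes
    return pool.spot_price(), twap(pool, 0.0, 0, now=1800)

if __name__ == "__main__":
    spot, avg = same_block_distortion()
    print(f"spot={spot:.2f} twap={avg:.2f}")
    try:
        collateral_price(spot, avg)
    except ValueError as err:
        print("guard:", err)
```

A trade that is opened and unwound inside one transaction contributes zero seconds to the accumulator, which is why the time-weighted figure stays put while the spot ratio jumps.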
Polter Finance announced it has since collaborated with the Security Alliance Information Sharing and Analysis Center (SEAL-ISAC) to track down the hacker.
This incident adds to the growing list of security breaches in the crypto sector. The total amount lost to exploits has surpassed $2 billion in 2024 alone, with code vulnerabilities resulting in $39.6 million in losses over 44 incidents, per a recent Certik report.
Edited by Stacy Elliott.